On Wednesday, the White House declassified a recap of President Donald Trump’s July 25 phone call with Ukrainian president Volodymyr Zelensky, a conversation apparently at the heart of a whistleblower complaint and a broader impeachment inquiry. In the five-page summary, Trump urges Zelensky to contact US attorney general William Barr and Rudy Giuliani, Trump’s personal lawyer, about possible investigations relating to Joe and Hunter Biden. But the notes also contain an unexpected reference to CrowdStrike, a prominent cybersecurity company that most Americans have never heard of.
It’s still not entirely clear what Trump meant, or thought he meant, by bringing CrowdStrike into the conversation, which you can read in full below. But it starts to make a little more sense if you’re willing to look back a few years, and assume some major confusion about digital forensics.
Here’s what Trump said on the call relating to CrowdStrike; all ellipses and punctuation are as they appear in the release: “I would like you to do us a favor, though, because our country has been through a lot and Ukraine knows a lot about it. I would like you to find out what happened with this whole situation with Ukraine, they say CrowdStrike…I guess you have one of your wealthy people…The server, they say Ukraine has it. There are a lot of things that went on, the whole situation. I think you’re surrounding yourself with some of the same people. I would like to have the Attorney General call you or your people and I would like to get to the bottom of it.”
A lot going on there. First of all, CrowdStrike is an incident response firm; it helps organizations that have suffered cyberattacks or are undergoing an active assault. Like other prominent companies of its kind, CrowdStrike conducts digital forensic investigations, and defends its clients in part by removing a hacker’s access to compromised accounts and devices.
So far, so good. Critically, though, CrowdStrike was the firm the Democratic National Committee called in 2016 after the organization discovered that hackers had broken into its email and chat systems and stolen data. The US intelligence community later confirmed that the attackers were Russian hacking group APT 28, also known as Fancy Bear—a moniker coined by CrowdStrike. (The Russian hacking group APT 29, or Cozy Bear, also infiltrated the DNC network in 2015.) When CrowdStrike began its investigation, Fancy Bear hackers still had active access to the DNC’s networks, and CrowdStrike worked to remove them.
As part of that remediation, the DNC, CrowdStrike, and government investigators had to “decommission more than 140 servers, remove and reinstall all software, including the operating systems, for more than 180 computers, and rebuild at least 11 servers,” according to court documents filed by the DNC in 2018.
Trump has had a very public, long-held fascination with that process, for years referring to the DNC’s “missing server.” But when CrowdStrike or another firm investigates an incident, they typically don’t physically remove a client’s devices. Instead, they make “images” of the hard drive and memory of every relevant device so that they can preserve a sort of snapshot of the compromised systems. Over time, digital forensic evidences washes away, as people reboot their devices or add and delete files.
In other words, there is no missing server. There’s no physical box locked away in a vault somewhere. There are simply copies of what the DNC’s systems looked like at the time of the attack, which both CrowdStrike and the DNC confirm were shared with the FBI during the investigation. No U-Haul required.
“With regards to our investigation of the DNC hack in 2016, we provided all forensic evidence and analysis to the FBI,” CrowdStrike said in a statement. “As we’ve stated before, we stand by our findings and conclusions that have been fully supported by the US intelligence community.”